4 Answers
4

Very wrong, the basic form of XSS is Reflected XSS, where the payload is sent in the URL (for example) from the victim himself.
This is most commonly used in phishing attacks, where the attacker crafts the malicious link, and mails it in social engineering attacks to his victims, or posts it on public forums, etc.
In general XSS has nothing to do with database (unless it's Persistent / Stored XSS).

A website without a database has no credentials, so I still don't see how XSS could be dangerous.
–
BlueRaja - Danny PflughoeftJul 25 '11 at 18:52

3

@BlueRaja, your statement has two misconceptions: (1) a database is the only way to store credentials, (2) and stealing credentials is the only danger of XSS. A better way of looking at XSS would be: Misusing the trust a user has for a website. In other words, even if there are no credentials, an attacker could use XSS to do anything the user allows the site to do: run scripts, modify the page, provide information, redirect to other sites, etc.
–
AviD♦Jul 25 '11 at 20:02

There are many ways XSS can exploit and do much damage without it having to be stored in a database. Remember that the XSS can even be stored in cookies!

However if you are only talking about non-persistent- reflected-XSS it is still very dangerous, but more from a social engineering point of view. This is because you have to actually distribute the XSS payload instead of it spreading on its own. Means of distribution of the payload can be for example:

Emailing suitable victims

Posting the URL on forums, boards, twitter. Often with the help of URL shorteners

On memory sticks. for example disguising XSS in the readme files of a program you give away for free on an USB stick.

A good example of the dangers of XSS with or without a database attached can be seen from the BEEF Project. This shows some of the things that can be done to a users browser once it's been affected by a XSS issue.

If you look at the youtube videos on this page there's some good examples of what can be done.